Date:      Wed, 25 Sep 2013 11:44:19 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: stopping an attack (fraggle like)
Message-ID:  <CAHu1Y720fvmHFLHif-qAo%2BGG=i3rFv=j=iGU8dA8b03cKEKiYQ@mail.gmail.com>
In-Reply-To: <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>
References:  <CAOWR6cAGoC=4SSSfbg1NCZWb3NGryG8%2B5N6Kz-72kLP00GpQTQ@mail.gmail.com>

I would certainly not use stateful rules.  If you can't influence the
upstream pipes at all, then your best bet is to use GRED, which is
implemented in dummynet.  There is a good bit of literature about
this, but the tuning of the drop will be empirically determined.

Fragmented packets won't contain port numbers anyway, but you could do this

ipfw add allow ip from any to any via lo0
ipfw add reass all from any to any in recv $IF_WAN

...

don't pass link-local packets through dummynet.

- M



On Wed, Sep 25, 2013 at 10:23 AM, NetOps Admin <netops.admin@epsb.ca> wrote:
> Hi,
>        We are currently getting hit with a DoS attack that looks very
> similar to a Fraggle attack. We are seeing a large amount of UDP traffic
> coming at us from thousands of hosts.  The source UDP port is 19 (chargen)
> and when it hits it consumes a 2Gb/s link.
>
>        Our main router is a FreeBSD server with ipfw installed.  I have
> tried blocking UDP port 19 incoming from the internet in a firewall rule
> but the UDP packets are very large and they are followed by a number of
> fragmented packets.  I think that even though I am blocking port 19, the
> fragmented packets are getting through and eating up the bandwidth.
>
>       I am a little hesitant about using a UDP deny rule with "keep-state" to
> try and block the following fragmented packets.  I don't want to cause
> memory issues.
>
>       Can I use keep-state with deny rules?  Will it have issues if I use
> keep-state to track thousands of hosts in a saturated 2 Gb/s link?
>
>       Any ideas on how others are controlling this?
>
> Thanks
>
> ----- Kirk
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
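The reply above boils down to three stateless steps: reassemble fragments on the WAN side before any layer-4 match, then drop the chargen traffic, then rate-limit what is left with a GRED pipe in dummynet. The script below is an added example, not code posted in this thread or shipped with FreeBSD; the interface name (em0), the pipe bandwidth, queue length and GRED parameters are assumed values for illustration and have to be tuned empirically, as the reply says. The sysctl it sets is the real net.inet.ip.fw.one_pass knob: without it, a packet that has been reassembled (or passed through a pipe) is accepted on the spot and never reaches the port-19 deny.

```shell
#!/bin/sh
# Added example (not from the thread): stateless ipfw + dummynet ruleset
# following the reply above. Reassemble fragments arriving on the WAN
# interface first, deny UDP source port 19 once the rebuilt datagram has a
# UDP header again, then push the remaining inbound UDP through a GRED pipe.
# IF_WAN, the pipe bandwidth, queue size and GRED thresholds are assumed
# values for illustration; tune them for the real link.

IF_WAN="${IF_WAN:-em0}"          # assumed WAN interface name
IPFW="${IPFW:-ipfw}"             # set IPFW=echo to preview the rules
SYSCTL="${SYSCTL:-sysctl}"       # set SYSCTL=echo to preview the sysctl

fw() { "$IPFW" "$@"; }

install_rules() {
    # Packets continue past a reass or pipe action only when one_pass is 0.
    # With the default (1) a reassembled packet is accepted immediately and
    # the port-19 deny below never sees it.
    "$SYSCTL" net.inet.ip.fw.one_pass=0

    fw -q flush
    fw -q pipe flush

    # Loopback traffic stays out of dummynet entirely.
    fw add 100 allow ip from any to any via lo0

    # Queue the fragments and rebuild the datagram before any L4 matching;
    # a fragment on its own carries no port numbers.
    fw add 200 reass all from any to any in recv "$IF_WAN"

    # The reassembled packet has its UDP header, so the chargen source
    # port now matches. No keep-state anywhere: nothing per-source to exhaust.
    fw add 300 deny udp from any 19 to any in recv "$IF_WAN"

    # Remaining inbound UDP goes through a GRED pipe. Parameters are
    # w_q/min_th/max_th/max_p (assumed values); bandwidth is set below the
    # link rate so dummynet starts dropping before the queue fills.
    fw pipe 1 config bw 1800Mbit/s queue 100 gred 0.002/30/60/0.1
    fw add 400 pipe 1 udp from any to any in recv "$IF_WAN"

    fw add 65000 allow ip from any to any
}

case "${1:-}" in
    apply) install_rules ;;
    *)     echo "usage: $0 apply   (IPFW=echo SYSCTL=echo $0 apply previews)" ;;
esac
```

Two things to check before trusting this on a saturated link. Reassembly holds partial datagrams in kernel memory, so watch net.inet.ip.maxfragpackets and the fragment statistics in netstat -s while the flood is running; if the fragment queue is the thing that fills up, lower that limit rather than adding state. And shaping on this box protects what sits behind it (CPU, the inside links, the real services) but does not reduce the bytes already arriving on the 2 Gb/s side; that part only the upstream can fix.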



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y720fvmHFLHif-qAo%2BGG=i3rFv=j=iGU8dA8b03cKEKiYQ>